When the United Kingdom's National Cyber Security Centre (NCSC) performs operational tasks, it may find vulnerabilities in software, hardware, websites, or critical infrastructure. When it finds these vulnerabilities, it goes through a review process called the "Equities Process" that determines whether it will disclose the vulnerability so that it is fixed or keep it to itself for use during intelligence gathering.
The NCSC explained this week that when it finds a vulnerability, its starting position is to responsibly disclose it. It then reviews the vulnerability through a series of groups to weigh whether the vulnerability has more value being kept private, so that it can be used to protect the United Kingdom and its allies, or whether it is more important to disclose the vulnerability so that it is fixed.
"The Equities Process provides a mechanism through which decisions about disclosure are taken. Expert analysis, based on objective criteria, is undertaken to decide whether such vulnerabilities should be released to allow them to be mitigated or retained so that they can be used for intelligence purposes in the interests of the UK," explained the NCSC. "The starting position is always that disclosing a vulnerability will be in the national interest."
As part of the Equities Process, three groups of people are involved in this review, as described below.

  1. The Equities Technical Panel (ETP), made up of a panel of subject matter experts from across the UK Intelligence Community including the NCSC.
  2. The GCHQ Equity Board (EB), which includes representation from other Government agencies and Departments as required. The Chair of the Equity Board is a senior civil servant with appropriate experience and expertise, usually drawn from the NCSC, and answerable in this role to the Chief Executive Officer (CEO) of the NCSC.
  3. The Equities Oversight Committee, chaired by the CEO of the NCSC, which ensures the Equities Process is working appropriately and in accordance with specified procedures. This Committee also advises the CEO of the NCSC on equity decisions escalated from the Equity Board.

When a new vulnerability submission is received, the Equities Technical Panel applies various criteria to determine whether it should be retained or disclosed. These criteria include determining whether disclosing the vulnerability would have a negative impact on the UK's security, whether it could be used for intelligence operations, or whether there is too much risk to the UK and its allies in not releasing it.
If a vulnerability is determined to be retained, it then goes through a series of increasingly senior groups who review the decision. Unless there is a consensus that the vulnerability should be retained, it is responsibly disclosed to the vendor or organization. This review process is illustrated in the flow chart below.
Equities Process Flow Chart
There are some exceptions that may cause a vulnerability not to be reviewed under the Equities Process. These include cases where the vulnerability was disclosed to the UK by an ally who performed a similar review process, where the software is no longer supported and thus there is no way to patch it, or where the vulnerability was purposely designed that way by the developer.
If it is decided to retain the vulnerability, it will go through the same review process at least every 12 months, or sooner as required.
This type of review process is not unique to the United Kingdom; other countries, such as the U.S.A., have their own "Vulnerabilities Equities Policy and Process".